Cisco, Fortinet, and VMware have released security fixes for a number of security vulnerabilities, including critical weaknesses that could be exploited to perform arbitrary actions on affected devices.
The first set from Cisco consists of three flaws – CVE-2024-20252 and CVE-2024-20254 (CVSS score: 9.6) and CVE-2024-20255 (CVSS score: 8.2) – impacting the Cisco Expressway Series that could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks.
All the issues, which were discovered during internal security testing, stem from insufficient CSRF protections for the web-based management interface that could enable an attacker to perform arbitrary actions with the privilege level of the affected user.
"If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts," Cisco said about CVE-2024-20252 and CVE-2024-20254.
Alternatively, successful exploitation of CVE-2024-20255 targeting a user with administrative privileges could enable the threat actor to overwrite system configuration settings, resulting in a denial-of-service (DoS) condition.
Another crucial difference between the two sets of flaws is that while the former two affect Cisco Expressway Series devices in the default configuration, CVE-2024-20255 only impacts them if the cluster database (CDB) API feature has been enabled. It is disabled by default.
Patches for the vulnerabilities are available in Cisco Expressway Series Release versions 14.3.4 and 15.0.0.
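The weakness behind the Cisco flaws is a management endpoint that trusts a request purely because the browser attached a valid session cookie. The following added example (written for this page, not Cisco's code, and not tied to any Expressway endpoint) models that pattern beside a hardened handler: the weak version honours any POST with an admin session, so a cross-site auto-submitting form can create a privileged account; the hardened version additionally requires an Origin/Referer matching the management interface and a per-session synchronizer token. The origin `https://expressway.example.internal`, the session table, and both requests are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed management-interface origin; a placeholder, not taken from the advisory.
ADMIN_ORIGIN = "https://expressway.example.internal"
# Per-deployment secret that binds CSRF tokens to sessions (generated for this demo).
SERVER_KEY = secrets.token_bytes(32)

# Constructed session table: one logged-in administrator.
SESSIONS = {"s3ss10n-admin": {"user": "admin", "role": "admin"}}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request to the web-based management interface."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def session_for(req):
    return SESSIONS.get(req.cookies.get("session"))


def create_account_vulnerable(req, accounts):
    """Any POST carrying a valid admin session cookie is honoured.

    Browsers attach the session cookie to cross-site form posts, so a page
    under the attacker's control can drive this endpoint with the admin's
    privileges: this is the insufficient-CSRF-protection pattern.
    """
    sess = session_for(req)
    if req.method != "POST" or sess is None or sess["role"] != "admin":
        return 403
    accounts.append(req.form["username"])
    return 200


def csrf_token(session_id):
    """Synchronizer token: HMAC of the session id under the server key."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(req):
    """Origin (or, failing that, Referer) must name the management interface."""
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if not origin:
        return False
    parts = urlsplit(origin)
    return f"{parts.scheme}://{parts.netloc}" == ADMIN_ORIGIN


def create_account_hardened(req, accounts):
    """Same action, but it demands proof the request came from our own pages."""
    sess = session_for(req)
    if req.method != "POST" or sess is None or sess["role"] != "admin":
        return 403
    if not same_origin(req):
        return 403
    expected = csrf_token(req.cookies["session"])
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so the token check itself leaks nothing.
    if not hmac.compare_digest(supplied, expected):
        return 403
    accounts.append(req.form["username"])
    return 200


def forged_request():
    """What the admin's browser sends when it loads an attacker's auto-submitting form."""
    return Request(
        method="POST",
        cookies={"session": "s3ss10n-admin"},            # attached automatically
        headers={"Origin": "https://attacker.example"},  # set by the browser, not the page
        form={"username": "backdoor", "role": "admin"},  # no csrf_token field
    )


def legitimate_request():
    """Same action issued from the management UI itself."""
    sid = "s3ss10n-admin"
    return Request(
        method="POST",
        cookies={"session": sid},
        headers={"Origin": ADMIN_ORIGIN},
        form={"username": "ops-user", "csrf_token": csrf_token(sid)},
    )


def simulate():
    """Run both handlers against both requests; returns (status, accounts) per case."""
    results = {}
    for name, handler in (("vulnerable", create_account_vulnerable),
                          ("hardened", create_account_hardened)):
        for kind, req in (("forged", forged_request()), ("legit", legitimate_request())):
            accounts = []
            results[f"{name}/{kind}"] = (handler(req, accounts), list(accounts))
    return results


if __name__ == "__main__":
    for case, outcome in simulate().items():
        print(f"{case:20s} -> {outcome}")
```

The forged request reaches the vulnerable handler with full admin rights and a new account is created; the hardened handler rejects it on the Origin check alone, and would reject it again on the missing token even if the Origin header were absent. Marking the session cookie `SameSite=Lax` or `Strict` is a worthwhile second layer, but it depends on client behaviour, so the server-side token check should remain the primary control.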
Fortinet, for its part, has released a second round of updates to address what are bypasses for a previously disclosed critical flaw (CVE-2023-34992, CVSS score: 9.7) in the FortiSIEM supervisor that could result in the execution of arbitrary code, according to Horizon3.ai researcher Zach Hanley.
Tracked as CVE-2024-23108 and CVE-2024-23109 (CVSS scores: 9.8), the flaws "may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests."
It is worth noting that Fortinet resolved another variant of CVE-2023-34992 by closing out CVE-2023-36553 (CVSS score: 9.3) in November 2023. The two new vulnerabilities are, or will be, plugged in the following versions –
- FortiSIEM version 7.1.2 or above
- FortiSIEM version 7.2.0 or above (upcoming)
- FortiSIEM version 7.0.3 or above (upcoming)
- FortiSIEM version 6.7.9 or above (upcoming)
- FortiSIEM version 6.6.5 or above (upcoming)
- FortiSIEM version 6.5.3 or above (upcoming), and
- FortiSIEM version 6.4.4 or above (upcoming)
Completing the trifecta is VMware, which has warned of five moderate-to-important severity flaws in Aria Operations for Networks (formerly vRealize Network Insight) –
- CVE-2024-22237 (CVSS score: 7.8) – Local privilege escalation vulnerability that allows a console user to gain regular root access
- CVE-2024-22238 (CVSS score: 6.4) – Cross-site scripting (XSS) vulnerability that allows a malicious actor with admin privileges to inject malicious code into user profile configurations
- CVE-2024-22239 (CVSS score: 5.3) – Local privilege escalation vulnerability that allows a console user to gain regular shell access
- CVE-2024-22240 (CVSS score: 4.9) – Local file read vulnerability that allows a malicious actor with admin privileges to access sensitive information
- CVE-2024-22241 (CVSS score: 4.3) – Cross-site scripting (XSS) vulnerability that allows a malicious actor with admin privileges to inject malicious code and take over the user account
To mitigate the risks, all users of VMware Aria Operations for Networks version 6.x are recommended to upgrade to version 6.12.0.
Considering the history of exploitation involving Cisco, Fortinet, and VMware flaws, patching is a necessary and crucial first step that organizations need to take to address the shortcomings.